US11516023B1ActiveUtility

Client side certificate revocation service

92
Assignee: SNOWFLAKE INCPriority: Oct 31, 2021Filed: Nov 5, 2021Granted: Nov 29, 2022
Est. expiryOct 31, 2041(~15.3 yrs left)· nominal 20-yr term from priority
H04L 67/02H04L 9/3297H04L 67/1097H04L 67/289H04L 9/3268
92
PatentIndex Score
2
Cited by
13
References
15
Claims

Abstract

A proxy revocation service provides a reliable service for performing revocation checks. The proxy revocation service queries public certificate authorities for the revocation status of a set of digital certificates and maintains a database of the revocation statuses. The proxy revocation service provides a singular endpoint that is Application Protocol Interface (API) accessible to web clients. Web clients communicate with the proxy revocation service through use of API message to perform revocation checks, rather than communicating with the public certificate authorities using an online certificate status protocol (OCSP). Use of the proxy revocation service provides both a reliable service for performing revocation checks as well as shifts the complexity away from the web clients.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method comprising:
 receiving, by a client device, a digital certificate from an online service as part of a process to establish a secure connection between the client device and the online service; 
 querying a local cache of the client device for a revocation status of the digital certificate; 
 in response to querying the local cache, transmitting, by the client device, a revocation check request for the revocation status for the digital certificate, the revocation status indicating whether the digital certificate has been revoked, the revocation status having been obtained from a certificate authority by a certificate revocation service using an online certificate status protocol (OCSP), the certificate revocation service being separate from the client device and the certificate authority; and 
 determining, by one or more computer processors of the client device, whether to establish the secure connection between the client device and the online service based on the revocation status of the digital certificate by: determining that the digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open; and 
 in response to determining that digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open, disconnecting the client device from the online service. 
 
     
     
       2. The method of  claim 1 , further comprising:
 transmitting the revocation check request to the certificate revocation service, the revocation check request directed to a uniform resource identifier (URI) designated to the certificate revocation service; and 
 receiving the revocation status from the certificate revocation service. 
 
     
     
       3. The method of  claim 1 , further comprising:
 determining that the revocation status is available in the local cache; and 
 determining whether the revocation status has expired. 
 
     
     
       4. The method of  claim 3 ,
 further comprising: 
 determining that the revocation status of the digital certificate in the local cache has expired, 
 wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate in the local cache has expired. 
 
     
     
       5. The method of  claim 1 ,
 further comprising: 
 determining that the revocation status of the digital certificate is not available in the local cache, wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate is not available in the local cache. 
 
     
     
       6. A client device comprising:
 one or more computer processors; and 
 one or more computer-readable mediums storing instructions that, when executed by the one or more computer processors, cause the client device to perform operations comprising: 
 receiving a digital certificate from an online service as part of a process to establish a secure connection between the client device and the online service; 
 querying a local cache of the client device for a revocation status of the digital certificate; 
 in response to querying the local cache, transmitting a revocation check request for the revocation status for the digital certificate, the revocation status indicating whether the digital certificate has been revoked, the revocation status having been obtained from a certificate authority by a certificate revocation service using an online certificate status protocol (OCSP), the certificate revocation service being separate from the client device and the certificate authority; and 
 determining whether to establish the secure connection between the client device and the online service based on the revocation status of the digital certificate by: determining that the digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open; and 
 in response to determining that digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open, disconnecting the client device from the online service. 
 
     
     
       7. The client device of  claim 6 , further comprising:
 transmitting the revocation check request to the certificate revocation service, the revocation check request directed to a uniform resource identifier (URI) designated to the certificate revocation service; and 
 receiving the revocation status from the certificate revocation service. 
 
     
     
       8. The client device of  claim 6 , further comprising:
 determining that the revocation status is available in the local cache; and 
 determining whether the revocation status has expired. 
 
     
     
       9. The client device of  claim 8 ,
 further comprising: 
 determining that the revocation status of the digital certificate in the local cache has expired, 
 wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate in the local cache has expired. 
 
     
     
       10. The client device of  claim 6 ,
 further comprising: 
 determining that the revocation status of the digital certificate is not available in the local cache, wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate is not available in the local cache. 
 
     
     
       11. A non-transitory computer-readable medium storing instructions that, when executed by one or more computer processors of a client device, cause the client device to perform operations comprising:
 receiving a digital certificate from an online service as part of a process to establish a secure connection between the client device and the online service; 
 querying a local cache of the client device for a revocation status of the digital certificate; 
 in response to querying the local cache, transmitting, by the client device, a revocation check request for the revocation status for the digital certificate, the revocation status indicating whether the digital certificate has been revoked, the revocation status having been obtained from a certificate authority by a certificate revocation service using an online certificate status protocol (OCSP), the certificate revocation service being separate from the client device and the certificate authority; and 
 determining whether to establish the secure connection between the client device and the online service based on the revocation status of the digital certificate by: determining that the digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open; and 
 in response to determining that digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open, disconnecting the client device from the online service. 
 
     
     
       12. The non-transitory computer-readable medium of  claim 11 , further comprising:
 transmitting the revocation check request to the certificate revocation service, the revocation check request directed to a uniform resource identifier (URI) designated to the certificate revocation service; and 
 receiving the revocation status from the certificate revocation service. 
 
     
     
       13. The non-transitory computer-readable medium of  claim 11 , further comprising:
 determining that the revocation status is available in the local cache; and 
 determining whether the revocation status has expired. 
 
     
     
       14. The non-transitory computer-readable medium of  claim 13 ,
 further comprising: 
 determining that the revocation status of the digital certificate in the local cache has expired, 
 wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate in the local cache has expired. 
 
     
     
       15. The non-transitory computer-readable medium of  claim 11 ,
 further comprising: 
 determining that the revocation status of the digital certificate is not available in the local cache, wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate is not available in the local cache.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.